Merge branch '1522-feature-request-package-specific-git-creds' into 'master'

Resolve "Feature Request: Package Specific Git Creds" Closes #1522 and #1712 See merge request !3059

Merge branch '1522-feature-request-package-specific-git-creds' into 'master'
5b51a841 · Christopher O'Connell · 21203819 · 1373ebe6 · 5b51a841 · 5b51a841
Commit 5b51a841 authored 1 year ago by Christopher O'Connell
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -54,9 +54,9 @@ branch: {{ .branch | quote }}
 {{- end -}}

 {{/*
-Build the appropriate git credentials secret for private git repositories
+Build the appropriate git credentials secret for BB wide git repositories
 */}}
-{{- define "gitCreds" -}}
+{{- define "gitCredsGlobal" -}}
 {{- if .Values.git.existingSecret -}}
 secretRef:
  name: {{ .Values.git.existingSecret }}
@@ -67,6 +67,30 @@ secretRef:
 {{- end -}}
 {{- end -}}

+{{/*
+Build the appropriate git credentials secret for individual package and BB wide private git repositories
+*/}}
+{{- define "gitCredsExtended" -}}
+{{- if .packageGitScope.existingSecret -}}
+secretRef:
+  name: {{ .packageGitScope.existingSecret }}
+{{- else if and (.packageGitScope.credentials) (coalesce .packageGitScope.credentials.username .packageGitScope.credentials.password .packageGitScope.credentials.caFile .packageGitScope.credentials.privateKey .packageGitScope.credentials.publicKey .packageGitScope.credentials.knownHosts "") -}}
+{{- /* Input validation happens in git-credentials.yaml template */ -}}
+secretRef:
+  name: {{ .releaseName }}-{{ .name }}-git-credentials
+{{- else -}}
+{{/* If no credentials are specified, use the global credentials in the rootScope */}}
+{{- include "gitCredsGlobal" .rootScope }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Pointer to the appropriate git credentials template
+*/}}
+{{- define "gitCreds" -}}
+{{- include "gitCredsGlobal" . }}
+{{- end -}}
+
 {{/*
 Build common set of file extensions to include/exclude
 */}}
@@ -306,3 +330,57 @@ bigbang.dev/istioVersion: {{ .Values.istio.helmRepo.tag }}{{ if .Values.istio.en
    {{- printf "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" $cert -}}
  {{- end -}}
 {{- end -}}
+
+{{- /*
+Returns the git credentails secret for the given scope and name
+*/ -}}
+{{- define "gitCredsSecret" -}}
+{{- $name := .name }}
+{{- $releaseName := .releaseName }}
+{{- $releaseNamespace := .releaseNamespace }}
+{{- with .targetScope -}}
+{{- if and (eq .sourceType "git") .enabled }}
+{{- if .git }}
+{{- with .git -}}
+{{- if not .existingSecret }}
+{{- if .credentials }}
+{{- if coalesce  .credentials.username .credentials.password .credentials.caFile .credentials.privateKey .credentials.publicKey .credentials.knownHosts -}}
+{{- $http := coalesce .credentials.username .credentials.password .credentials.caFile "" }}
+{{- $ssh := coalesce .credentials.privateKey .credentials.publicKey .credentials.knownHosts "" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $releaseName }}-{{ $name }}-git-credentials
+  namespace: {{ $releaseNamespace }}
+type: Opaque
+data:
+  {{- if $http }}
+  {{- if .credentials.caFile }}
+  caFile: {{ .credentials.caFile | b64enc }}
+  {{- end }}
+  {{- if and .credentials.username  (not .credentials.password ) }}
+  {{- printf "%s - When using http git username, password must be specified" $name | fail }}
+  {{- end }}
+  {{- if and .credentials.password  (not .credentials.username ) }}
+  {{- printf "%s - When using http git password, username must be specified" $name | fail }}
+  {{- end }}
+  {{- if and .credentials.username .credentials.password }}
+  username: {{ .credentials.username | b64enc }}
+  password: {{ .credentials.password | b64enc }}
+  {{- end }}
+  {{- else }}
+  {{- if not (and (and .credentials.privateKey .credentials.publicKey) .credentials.knownHosts) }}
+  {{- printf "%s - When using ssh git credentials, privateKey, publicKey, and knownHosts must all be specified" $name | fail }}
+  {{- end }}
+  identity: {{ .credentials.privateKey | b64enc }}
+  identity.pub: {{ .credentials.publicKey | b64enc }}
+  known_hosts: {{ .credentials.knownHosts | b64enc }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
--- a/chart/templates/anchore/git-credentials.yaml
+++ b/chart/templates/anchore/git-credentials.yaml
+{{- $gitCredsSecretDict := dict
+  "name" "anchore"
+  "targetScope" .Values.addons.anchore
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
--- a/chart/templates/anchore/gitrepository.yaml
+++ b/chart/templates/anchore/gitrepository.yaml
 {{- if and (eq .Values.addons.anchore.sourceType "git") .Values.addons.anchore.enabled  }}
+{{- $gitCredsDict := dict
+  "name" "anchore"
+  "packageGitScope" .Values.addons.anchore.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
@@ -10,5 +16,5 @@ spec:
  ref:
    {{- include "validRef" .Values.addons.anchore.git | nindent 4 }}
  {{ include "gitIgnore" . }}
-  {{- include "gitCreds" . | nindent 2 }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
 {{- end }}
--- a/chart/templates/argocd/git-credentials.yaml
+++ b/chart/templates/argocd/git-credentials.yaml
+{{- $gitCredsSecretDict := dict
+  "name" "argocd"
+  "targetScope" .Values.addons.argocd
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
--- a/chart/templates/argocd/gitrepository.yaml
+++ b/chart/templates/argocd/gitrepository.yaml
 {{- if and (eq .Values.addons.argocd.sourceType "git") .Values.addons.argocd.enabled  }}
+{{- $gitCredsDict := dict
+  "name" "argocd"
+  "packageGitScope" .Values.addons.argocd.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
@@ -14,5 +20,5 @@ spec:
  ref:
    {{- include "validRef" .Values.addons.argocd.git | nindent 4 }}
  {{ include "gitIgnore" . }}
-  {{- include "gitCreds" . | nindent 2 }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
 {{- end }}
--- a/chart/templates/authservice/git-credentials.yaml
+++ b/chart/templates/authservice/git-credentials.yaml
+{{- $gitCredsSecretDict := dict
+  "name" "authservice"
+  "targetScope" .Values.addons.authservice
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
--- a/chart/templates/authservice/gitrepository.yaml
+++ b/chart/templates/authservice/gitrepository.yaml
 {{- if and .Values.istio.enabled (eq .Values.addons.authservice.sourceType "git") (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
+{{- $gitCredsDict := dict
+  "name" "authservice"
+  "packageGitScope" .Values.addons.authservice.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
@@ -14,5 +20,5 @@ spec:
  ref:
    {{- include "validRef" .Values.addons.authservice.git | nindent 4 }}
  {{ include "gitIgnore" . }}
-  {{- include "gitCreds" . | nindent 2 }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
 {{- end }}
--- a/chart/templates/cluster-auditor/git-credentials.yaml
+++ b/chart/templates/cluster-auditor/git-credentials.yaml
+{{- $gitCredsSecretDict := dict
+  "name" "clusterAuditor"
+  "targetScope" .Values.clusterAuditor
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
--- a/chart/templates/cluster-auditor/gitrepository.yaml
+++ b/chart/templates/cluster-auditor/gitrepository.yaml
 {{- if and (eq .Values.clusterAuditor.sourceType "git") (not .Values.offline) .Values.clusterAuditor.enabled }}
+{{- $gitCredsDict := dict
+  "name" "clusterAuditor"
+  "packageGitScope" .Values.clusterAuditor.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
@@ -14,5 +20,5 @@ spec:
  ref:
    {{- include "validRef" .Values.clusterAuditor.git | nindent 4 }}
  {{ include "gitIgnore" . }}
-  {{- include "gitCreds" . | nindent 2 }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
 {{- end }}
--- a/chart/templates/eck-operator/git-credentials.yaml
+++ b/chart/templates/eck-operator/git-credentials.yaml
+{{- $gitCredsSecretDict := dict
+  "name" "eckOperator"
+  "targetScope" .Values.eckOperator
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
--- a/chart/templates/eck-operator/gitrepository.yaml
+++ b/chart/templates/eck-operator/gitrepository.yaml
 {{- if and (eq .Values.eckOperator.sourceType "git") (not .Values.offline) (or .Values.eckOperator.enabled .Values.elasticsearchKibana.enabled) }}
+{{- $gitCredsDict := dict
+  "name" "eckOperator"
+  "packageGitScope" .Values.eckOperator.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
@@ -14,5 +20,5 @@ spec:
  ref:
    {{- include "validRef" .Values.eckOperator.git | nindent 4 }}
  {{ include "gitIgnore" . }}
-  {{- include "gitCreds" . | nindent 2 }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
 {{- end }}
--- a/chart/templates/elasticsearch-kibana/git-credentials.yaml
+++ b/chart/templates/elasticsearch-kibana/git-credentials.yaml
+{{- $gitCredsSecretDict := dict
+  "name" "elasticsearchKibana"
+  "targetScope" .Values.elasticsearchKibana
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
--- a/chart/templates/elasticsearch-kibana/gitrepository.yaml
+++ b/chart/templates/elasticsearch-kibana/gitrepository.yaml
 {{- if and (eq .Values.elasticsearchKibana.sourceType "git") (not .Values.offline) ( .Values.elasticsearchKibana.enabled ) }}
+{{- $gitCredsDict := dict
+  "name" "elasticsearchKibana"
+  "packageGitScope" .Values.elasticsearchKibana.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
@@ -14,5 +20,5 @@ spec:
  ref:
    {{- include "validRef" .Values.elasticsearchKibana.git | nindent 4 }}
  {{ include "gitIgnore" . }}
-  {{- include "gitCreds" . | nindent 2 }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
 {{- end }}
--- a/chart/templates/fluentbit/git-credentials.yaml
+++ b/chart/templates/fluentbit/git-credentials.yaml
+{{- $gitCredsSecretDict := dict
+  "name" "fluentbit"
+  "targetScope" .Values.fluentbit
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
--- a/chart/templates/fluentbit/gitrepository.yaml
+++ b/chart/templates/fluentbit/gitrepository.yaml
 {{- if and (eq .Values.fluentbit.sourceType "git") (not .Values.offline) (.Values.fluentbit.enabled) }}
+{{- $gitCredsDict := dict
+  "name" "fluentbit"
+  "packageGitScope" .Values.fluentbit.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
@@ -14,5 +20,5 @@ spec:
  ref:
    {{- include "validRef" .Values.fluentbit.git | nindent 4 }}
  {{ include "gitIgnore" . }}
-  {{- include "gitCreds" . | nindent 2 }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
 {{- end }}
--- a/chart/templates/fortify/git-credentials.yaml
+++ b/chart/templates/fortify/git-credentials.yaml
+{{- $pkg := "fortify" }}
+{{- $gitCredsSecretDict := dict
+  "name" $pkg
+  "targetScope" (get .Values.addons $pkg)
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
--- a/chart/templates/fortify/gitrepository.yaml
+++ b/chart/templates/fortify/gitrepository.yaml
 {{- $pkg := "fortify" }}
 {{- if and (eq (get .Values.addons $pkg).sourceType "git") (not .Values.offline) (get .Values.addons $pkg).enabled }}
+{{- $gitCredsDict := dict
+  "name" $pkg
+  "packageGitScope" (get .Values.addons $pkg).git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
@@ -11,5 +17,5 @@ spec:
  ref:
    {{- include "validRef" (get .Values.addons $pkg).git | nindent 4 }}
  {{ include "gitIgnore" . }}
-  {{- include "gitCreds" . | nindent 2 }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
 {{- end }}
--- a/chart/templates/gatekeeper/git-credentials.yaml
+++ b/chart/templates/gatekeeper/git-credentials.yaml
+{{- $gitCredsSecretDict := dict
+  "name" "gatekeeper"
+  "targetScope" .Values.gatekeeper
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
--- a/chart/templates/gatekeeper/gitrepository.yaml
+++ b/chart/templates/gatekeeper/gitrepository.yaml
 {{- if and (eq .Values.gatekeeper.sourceType "git") (not .Values.offline) (or .Values.gatekeeper.enabled .Values.clusterAuditor.enabled) }}
+{{- $gitCredsDict := dict
+  "name" "gatekeeper"
+  "packageGitScope" .Values.gatekeeper.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
@@ -14,5 +20,5 @@ spec:
  ref:
    {{- include "validRef" .Values.gatekeeper.git | nindent 4 }}
  {{ include "gitIgnore" . }}
-  {{- include "gitCreds" . | nindent 2 }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
 {{- end }}
--- a/chart/templates/gitlab-runner/git-credentials.yaml
+++ b/chart/templates/gitlab-runner/git-credentials.yaml
+{{- $gitCredsSecretDict := dict
+  "name" "gitlabRunner"
+  "targetScope" .Values.addons.gitlabRunner
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}